Default Credentials Used
Overview
Mayhem was able to access a protected endpoint using a set of well-known default credentials. A protected endpoint is expected to reject invalid credentials with a 4xx status code indicating a client error, usually "401 Unauthorized" or "403 Forbidden".
A successful (2xx) response instead indicates that an unauthorized user may access a sensitive endpoint using well-known default credentials, potentially leaking information or performing unauthorized operations.
Recommendation
Review the endpoint code to ensure that the required authentication code runs in all cases. If the endpoint does not require authentication, update the API specification to say so.
If authentication checks are performed on this endpoint, review the code that checks the provided credentials to ensure that default credentials are not accepted as valid. Ensure that user-provided data is validated thoroughly before any authentication checks are performed. The sample response provided by Mayhem for API as part of the bug report may point you in the right direction when debugging the issue. The issue may also be in the underlying library, if any, that you use to perform validation checks.
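The following is an added example, not code from Mayhem or from this page, of the kind of credential check the recommendation describes: the request's Basic Authorization header is parsed and validated before any authentication logic runs, well-known default credential pairs are rejected outright, and only a constant-time comparison against a salted PBKDF2 hash yields a 200. The user store, the default-credential list, the field length limit and the iteration count are constructed assumptions for illustration; the `authenticate` function returns the HTTP status the protected endpoint should answer with.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: well-known default credential pairs that must never be
# accepted, even if an account happens to be configured with one of them.
DEFAULT_CREDENTIALS = frozenset({
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("guest", "guest"),
})

MAX_FIELD_LENGTH = 256   # assumption: upper bound for username/password length
PBKDF2_ITERATIONS = 100_000  # assumption: kept modest so the example runs quickly


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for a password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed sample user store: username -> (salt, digest).
USERS = {
    "alice": hash_password("correct horse battery staple"),
}


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an HTTP Basic Authorization header into (username, password).
    Returns None for a missing, non-Basic or malformed header."""
    if not header:
        return None
    scheme, _, payload = header.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def validate_credential_fields(username: str, password: str) -> bool:
    """Input validation that runs before any authentication check:
    reject empty, oversized or control-character-laden fields."""
    for field in (username, password):
        if not field or len(field) > MAX_FIELD_LENGTH:
            return False
        if any(ord(c) < 0x20 or c == "\x7f" for c in field):
            return False
    return True


def authenticate(header: Optional[str]) -> int:
    """Return the HTTP status the protected endpoint should respond with:
    401 for missing, invalid or default credentials, 200 for a valid user."""
    creds = parse_basic_auth(header)
    if creds is None:
        return 401
    username, password = creds
    if not validate_credential_fields(username, password):
        return 401
    # Reject well-known default credentials before consulting the user store.
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        return 401
    record = USERS.get(username)
    if record is None:
        # Do a hash computation anyway so response timing does not reveal
        # which usernames exist.
        hash_password(password, b"\x00" * 16)
        return 401
    salt, expected = record
    _, actual = hash_password(password, salt)
    if not hmac.compare_digest(actual, expected):
        return 401
    return 200


def basic_header(username: str, password: str) -> str:
    """Build a Basic Authorization header value (used for the checks below)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    print(authenticate(basic_header("admin", "admin")))                    # 401
    print(authenticate(basic_header("alice", "correct horse battery staple")))  # 200
    print(authenticate(None))                                              # 401
```

A check like `authenticate(basic_header("admin", "admin")) == 401` is the assertion to keep in the endpoint's test suite: it fails loudly if a later change to the credential-checking code, or to the validation library beneath it, lets a default pair through again.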